General Data Protection Regulations
The General Data Protection Regulations (GDPR) replaced the Data Protection Act 1998 (DPA) which came into force on 25th May 2018.
Processing Personal Data
The Data Protection Principles will remain largely the same and the University will still need to ensure personal data is;
- Obtained fairly & lawfully
- Processed for specified & lawful purposes
- Adequate, relevant and not excessive
- Kept accurate and up to date
- Kept no longer than necessary
- Processed in accordance with the data subject’s rights
- Kept safe & secure
- Not transferred outside the EEA.
In addition to this, the GDPR will encourage a more proactive and documented approach to compliance. This means the University will have to keep records of the personal data it holds and how that data is processed. The University takes these statutory obligations seriously and will;
- Implement policies, procedures, processes and training to promote ‘data protection by design and by default’.
- Have appropriate contracts in place when outsourcing functions that involve the processing of personal data.
- Maintain records of the data processing that is carried out across the organisation.
- Document and report personal data breaches.
- Carry out Data Protection Impact Assessments on ‘high risk’ processing activities.
The University will continue to be regulated by the Information Commissioners Office (ICO) with regards to data protection.
Reporting a Data Protection Breach
If you suspect there has been a breach, you must report it without delay to: Itshelp@hope.ac.uk using subject header: DATA BREACH
For further guidance on what you need to report and what to do if you discover a breach outside of core working hours, please see the University's GDPR Data Breach Procedure.
The University must report a breach of data to the Information Commissioners Office within 72 hours of discovering the breach. DO NOT DELAY INFORMING THE UNIVERSITY IF YOU SUSPECT A BREACH.
The Information Commissioners Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest and data privacy for individuals.
There are also toolkits available to help staff working with personal data - Think.Check.Share.Communicating the Importance of Information Security to Staff
Guidance For University Staff
Further information about how to ensure compliance with GDPR can be found in the Staff Guidance on Data Protection booklet
More practical advice about handling personal data is available in the ?Data Protection Do's and Don'ts Guide
Data privacy should be considered as part of any project or activity which involves processing personal data to ensure data protection is a key consideration from the outset. A Data Protection Impact Assessment (DPIA) can be used as a tool to assist with this process:
The following schedules provide detailed information about how long the University keeps its data before disposing of it: